b'      SEC\xe2\x80\x99s Controls Over Government\n      Furnished Equipment and\n      Contractor Acquired Property\n\n\n\n\n                                           March 28, 2012\n                                           Report No. 503\n\nAudit Conducted by Castro & Company, LLC\n\x0c                                               UNITED STATES\n\n                           SECURITIES AND EXCHANGE COMMISSION\n                                        WASHINGTON, D.C.     20549\n\n\n    OFFICE OF\n\nINSPECTOR GENERAL\n\n\n\n\n                                      MEMORANDUM\n\n                                               March 28, 2012\n\n\n          To:            Jayne Seidman, Acting Director, Office of Administrative\n                           Services (OAS)\n                         Thomas Bayer, Chief Information Officer, Office of Information\n                           Technolo   \xef\xbf\xbd(OIT)\n\n\n                                            \xef\xbf\xbd\n                                                  70\xef\xbf\xbd\xef\xbf\xbd\n           From:         No   e   aloney,         Inspector General, Office of Inspector\n                           G n ral (OIG)\n\n\n          Subject:       SEC\'s Controls Over Government Furnished Equipment and\n                         Contractor Acquired Property, Report No. 503\n\n\n          This memorandum transmits the U.S. Securities and Exchange Commission\n           OIG\'s final report detailing the results of our audit on the SEC\'s controls over\n          government furnished equipment and contractor acquired property. This audit\n          was conducted as part of our continuous effort to assess management of the\n          Commission\'s programs and operations and as a part of our annual audit plan.\n\n\n          The final report contains nine recommendations which if fully implemented\n          should strengthen the Commission\'s controls over government furnished\n          equipment and contractor acquired property. OAS and OIT concurred with all the\n          report\'s recommendations. Your written response to the draft report is included\n          in Appendix V.\n\n\n          Within the next 45 days, please provide the OIG with a written corrective action\n          plan that is designed to address the recommendations identified in our final\n          report. The corrective action plan should include information such as the\n          responsible official/point of contact, timeframes for completing required actions,\n           and milestones identifying how you will address the recommendations.\n\n\n\n\n           SEC Controls Over GFE and CAP                                          March 28, 2012\n           Report No. 503\n                                                   Page ii\n\x0cShould you have any questions regarding this report, please do not hesitate to\ncontact me. We appreciate the courtesy and cooperation that you and your staff\nextended to our contractors.\n\nAttachment\n\ncc:   James R. Burns, Deputy Chief of Staff, Office of the Chairman\n      Luis A. Aguilar, Commissioner\n      Troy A. Paredes, Commissioner\n      Elisse B. Walter, Commissioner\n      Daniel M. Gallagher, Commissioner\n      Jeff Heslop, Chief Operating Officer\n      Vance Cathell, Deputy Director, Office of Administrative Services\n      Todd Scharf, Chief Information Security Officer, Office of Information\n       Technology\n\n\n\n\nSEC Controls Over GFE and CAP                                       March 28, 2012\nReport No. 503\n                                    Page iii\n\x0cSEC\xe2\x80\x99s Controls Over Government Furnished\nEquipment and Contractor Acquired\nProperty\n\n                                Executive Summary\nBackground. The U.S. Securities and Exchange Commission (SEC or\nCommission) Office of Inspector General (OIG) contracted with Castro &\nCompany, LLC to conduct an audit of the SEC\xe2\x80\x99s Government Furnished\nEquipment (GFE) and Contractor Acquired Property (CAP), and to identify\npotential areas for improvement.\n\nThe SEC\xe2\x80\x99s mission is to protect investors; maintain fair, orderly, and efficient\nmarkets; and facilitate capital formation. The SEC accomplishes much of its\nmission through the use of contractors and frequently provides its contractors\nwith information technology equipment to use.\n\nFederal Acquisition Regulation (FAR) Part 45 \xe2\x80\x93 Government Property defines\nGFE or, Government Furnished Property (GFP), as property in the possession\nof, or directly acquired by, the government and subsequently furnished to the\ncontractor for performance of a contract. It further defines CAP as property\nacquired, fabricated, or otherwise provided by the contractor for performing a\ncontract and to which the government has title. 1 Examples of GFP include\nservers and machinery the government provides to a contractor to use at the\ncontractor\xe2\x80\x99s facility to perform the terms of its contract. For simplicity, throughout\nthis report GFE and CAP will be referred to as GFP.\n\nWhen the SEC issues GFP to a contractor, the contractor is required to manage\nand account for GFP in accordance with the FAR, and the contractor is required\nto have a system to manage (i.e., control, use, preserve, protect, repair and\nmaintain) the government property in its possession. In doing so, the contractor\nshould initiate and maintain the processes, systems, procedures, records, and\nmethodologies necessary for effective control of government property. To\nensure contractors comply with these requirements, contractors should develop\nproperty management systems. 2\n\nThe Commission has approximately 3,500 employees and 1,400 contract\nemployees who are located at its Headquarters site in Washington, D.C., the\nOperations Center in Alexandria, VA, and its 11 regional offices located\n\n1\n  Federal Acquisition Regulation, Part 45 \xe2\x80\x93 Government Property, Clause 45.101 \xe2\x80\x93 Definitions,\nhttps://www.acquisition.gov/far/html/FARTOCP45.html.\n2\n  Federal Acquisition Regulation, Part 52.245-1 - Government Property, Clause (b)(1), Property\nmanagement, https://www.acquisition.gov/far/html/52_245.html.\nSEC Controls Over GFE and CAP                                                             March 28, 2012\nReport No. 503\n                                                Page iv\n\x0cthroughout the country. The scope of our audit primarily covered SEC\xe2\x80\x99s Office of\nAdministrative Services (OAS), Office of Information Technology (OIT), and\nOffice of Financial Management (OFM).\n\nOAS assists the SEC with managing its facilities and assets, and provides a wide\nrange of support services to SEC staff. OAS provides service to SEC employees\nagency-wide on matters such as procurement and contracting, property\nmanagement, office lease acquisition and administration, space renovation,\nsupplies and office equipment management, transportation, mail distribution,\npublications, printing, and desktop publishing. OAS\xe2\x80\x99 Associate Executive\nDirector is the Property Management Officer who has oversight of the SEC\xe2\x80\x99s\nproperty management program.\n\nOIT supports the SEC employees regarding all aspects of information\ntechnology. OIT further has overall management responsibility for the\nCommission\'s information technology program including application\ndevelopment, infrastructure operations and engineering, user support,\ninformation technology program management, capital planning, security, and\nenterprise architecture. OIT\xe2\x80\x99s Asset Management Branch (AMB) is responsible\nfor establishing property management policies for information technology\nequipment, including serving as the inventory control point for the acquisition,\nstorage and issuance of information technology equipment; serving as the\nutilization coordinator for the reassignment and disposal of information\ntechnology assets; and interfacing with the Assistant Property Management\nOfficer regarding all information technology property issues.\n\nOFM administers the SEC\xe2\x80\x99s financial management and budget functions, and is\nresponsible for accounting policies, procedures, and operations, including\noverseeing internal control procedures to ensure accountability of property and\nreconciliation of the SEC\xe2\x80\x99s official property records to the general ledger control\naccounts.\n\nObjectives. The overall objective of the audit was to determine whether\nsufficient management controls over government property held by contractors\nwere in-place and operating effectively. The specific audit objectives were to\ndetermine whether:\n\n   \xe2\x80\xa2   SEC has reliable records to assess which contractors have\n       received GFP and the dollar value of the assets provided,\n   \xe2\x80\xa2   Contracting Officer Representatives or others responsible for\n       administration of property, are properly trained and are performing\n       their required duties in accordance with the SEC policy,\n   \xe2\x80\xa2   Contractors that were provided GFP by the SEC have performed\n       annual inventories of property in accordance with their contracts\n       and the FAR,\n\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                      Page v\n\x0c    \xe2\x80\xa2   SEC and contractors that were provided GFP by the SEC have\n        adequate policies and procedures for the management and\n        disposal of property, including the sanitization and disposal of IT\n        property such as media, magnetic tapes, removable media, and\n        hard drives which can contain sensitive data; and\n    \xe2\x80\xa2   Assets held by contractors are properly accounted for and reported\n        in the SEC\xe2\x80\x99s financial statements.\n\nWhere appropriate, we also identified areas for improvement.\n\nResults. We identified a number of control deficiencies concerning the SEC\xe2\x80\x99s\nmanagement and accountability over GFP. Specifically, the audit found that\nOAS and OIT could not identify the universe of GFP the SEC has issued to its\ncontractors. Additionally, OAS, in conjunction with OIT have not clearly identified\nin the SEC Administrative Regulation (SECR), SECR 9-2, Property Management\nProgram, and SECR 9-3, Report of Survey Program, the specific property items\nthat it has designated as GFP, or the particular circumstances that are needed to\nmeet the GFP requirements in the Federal Acquisition Regulation (FAR), Part 45\n\xe2\x80\x93 Government Property, including Section 45.101 \xe2\x80\x93 Definitions and Section\n45.103 - General. 3 Because OAS and OIT have not identified the universe of\nGFP and have not clearly defined what it considers to be GFP, there is an\nincreased risk of the SEC not complying with the FAR and property that is lost,\nstolen, or misused may not be detected.\n\nIn addition, we found that the Configuration Management Database (CMDB)\nutilized by AMB to monitor information technology equipment, including GFP is\nnot reliable due to the fact that controls are insufficient to ensure the information\nin the database is accurate and complete. Additionally, AMB did not have proper\npolicies and procedures related to the accountability of information technology\nequipment, including coordinating with the Contracting Officer Representatives,\nor other Property Accountability Officers, as designated in the contract, to ensure\nthat government issued property items are properly returned to OIT when the\ncontractor is no longer using the property item or when the contract with the\nvendor is no longer active.\n\nFurther, we found that information technology equipment provided to contractors\nthat AMB is required to monitor is not appropriately tracked, monitored, or\ninventoried. In addition, AMB does not have up-to-date policies and procedures\nto ensure the effective accountability of information technology equipment,\nincluding GFP. AMB has not conducted a wall-to-wall inventory of the SEC\xe2\x80\x99s\ninformation technology equipment since 2009. The last inventory that was\nconducted included information technology equipment at the SEC\xe2\x80\x99s\nHeadquarters, Operations Center, and regional offices. To properly account for\ninformation technology equipment, in February 2012, AMB began a wall-to-wall\n3\n Federal Acquisition Regulation (FAR), Part 45 \xe2\x80\x93 Government Property, Section 45.101 \xe2\x80\x93 Definitions and\nSection 45.103 \xe2\x80\x93 General.\nSEC Controls Over GFE and CAP                                                           March 28, 2012\nReport No. 503\n                                               Page vi\n\x0cinventory of the SEC\xe2\x80\x99s information technology equipment at its Headquarters,\nOperations Center, and regional offices locations. Once the inventory is\ncompleted AMB then plans to conduct an inventory every two years thereafter.\n\nFinally, we found that Contracting Officers, Contract Specialists, and Contracting\nOfficer Representatives are not properly trained regarding their responsibilities as\nit relates to contracts containing provisions for contractor who are issued GFP.\nIn 10 out of the 30 contracts we sampled there was a section stating the\ncontractor would be provided GFP. For example, one contract contained a\nsection that stated, \xe2\x80\x9cGovernment Furnished Facilities and Equipment. The SEC\nshall provide office space and computers for contractor personnel.\xe2\x80\x9d However,\nOAS informed us that this equipment is generally provided to all contractors and\nis not considered GFP. Therefore, the GFP section was erroneously included in\nthe contracts. Based on interviews we conducted, there is confusion with the\nContracting Officer Representative\xe2\x80\x99s understanding of the definition of GFP, their\nresponsibilities for monitoring property that is provided to contractors, whether\nthere are procedures for assigning GFP to contractors, and collecting or\ndisposing of GFP when a contract employee exits a contract.\n\nSummary of Recommendations. Based on the results of our audit, we made\nthe following recommendations:\n\n   (1) The Office of Administrative Services (OAS), in conjunction with the Office\n       of Information Technology (OIT), should revise SECR 9-3, Report of\n       Survey Program and SECR 9-2, Property Management Program, and\n       clearly define property that is designated as Government Furnished\n       Property (GFP). OAS and OIT should further identify in SECR 9-3 and 9-2\n       the particular circumstances that are needed to meet the GFP\n       requirements in accordance with Part 45 of the Federal Acquisition\n       Regulation.\n\n   (2) The Office of Information Technology (OIT) should revise its policy to\n       specify how often the office will conduct wall-to-wall inventories of the\n       SEC\xe2\x80\x99s information technology equipment and how frequently the\n       Configuration Management Database (CMDB) should be updated. In\n       performing the inventories, OIT should ensure that:\n\n       \xe2\x80\xa2   All relevant fields related to asset management in the CMDB are\n           accurate and properly completed, including verifying that\n           individuals using the property items are properly identified within\n           the database;\n       \xe2\x80\xa2   Equipment in regional offices is included in the wall-to-wall\n           inventory; and\n       \xe2\x80\xa2   Fields in the CMDB that capture contract numbers and contract\n           expiration dates using the Active Directory.\n\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                      Page vii\n\x0c   (3) The Office of Information Technology (OIT) should coordinate with the\n       Contracting Officer Representative or other Property Accountability\n       Officer, as designated in the contract, to ensure that government issued\n       property items are properly returned to the OIT and the items are promptly\n       removed from the Configuration Management Database when the\n       contractor is no longer using it or when the contract is no longer active.\n\n   (4) The Office of Information Technology should develop and implement\n       procedures for monitoring information technology equipment at the\n       regional offices that is communicated to appropriate personnel. These\n       procedures should include the regional office\xe2\x80\x99s roles in monitoring\n       information technology equipment issued to contractors, including their\n       responsibilities when a contractor employee exits a contract or when the\n       equipment is moved to a new location.\n\n   (5) The Office of Information Technology should revise its policies and\n       procedures to establish clear accountability within the Asset Management\n       Branch that is associated with properly tracking and monitoring\n       information technology equipment, including documenting the issuance\n       and receipt of information technology equipment to specific Commission\n       contractors.\n\n   (6) When the Office of Information Technology completes the 2012, wall-to-\n       wall inventory of information technology equipment, it should use this\n       information to establish a baseline of the equipment in the Configuration\n       Management Database.\n\n   (7) The Office of Administrative Services, in conjunction with the Office of\n       Information Technology, should develop periodic training for Contracting\n       Officers, Contract Specialists, and Contracting Officer Representatives\n       that clearly defines and addresses their responsibilities related to\n       government furnished property consistent with Part 45 of the Federal\n       Acquisition Regulation, Government Property and SECR 9-2, Property\n       Management Program.\n\n   (8) The Office of Administrative Services should ensure when the\n       Commission issues Government Furnished Property to contractors, the\n       Contracting Officer (and where appropriate the Contract Specialist),\n       includes language in the contract that specifies:\n\n          \xe2\x80\xa2   The name of the equipment,\n          \xe2\x80\xa2   What equipment will be retained, disposed of, or returned to the\n              government,\n          \xe2\x80\xa2   When the equipment will be disposed of or returned to the\n              government, and\n          \xe2\x80\xa2   Who can accept the returned equipment.\nSEC Controls Over GFE and CAP                                        March 28, 2012\nReport No. 503\n                                    Page viii\n\x0c   (9) The Office of Information Technology should issue Government Furnished\n       Property to contractors only after it obtains proof that the vendor\xe2\x80\x99s contract\n       has language authorizing the contractor to receive the equipment.\n\n\n\n\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                      Page ix\n\x0cTABLE OF CONTENTS\nExecutive Summary ............................................................................................. iv\n\nTable of Contents ................................................................................................. x\n\nBackground and Objectives............................................................................... 1\n     Background ............................................................................................... 1\n     Objectives .................................................................................................. 5\n\nFindings and Recommendations....................................................................... 6\n      Finding 1: The SEC Could Not Identify the Universe of Property Issued to\n                  Contractors ............................................................................. 6\n                   Recommendation 1............................................................... 7\n\n         Finding 2: The Configuration Management Database Is Not Reliable for\n                     Identifying Information Technology Equipment........................ 8\n                       Recommendation 2............................................................. 10\n                       Recommendation 3............................................................. 11\n                       Recommendation 4............................................................. 11\n\n         Finding 3: OIT Has Not Conducted Timely Inventory of the SEC\xe2\x80\x99s\n                     Information Technology Equipment and Lacks Up-to-Date\n                     Information Technology Equipment Policies and\n                     Procedures\xe2\x80\xa6. ....................................................................... 12\n                       Recommendation 5............................................................. 13\n                       Recommendation 6............................................................. 14\n\n         Finding 4: Contracting Officers, Contract Specialists, and Contracting\n         Officer Representatives Have Not Received Adequate Training Related to\n         Government Furnished Property .............................................................. 14\n                      Recommendation 7............................................................. 17\n                      Recommendation 8............................................................. 18\n                      Recommendation 9............................................................. 18\n\nAppendices\n     Appendix I:             Abbreviations. ..................................................................... 19\n     Appendix II:            Scope and Methodology ..................................................... 20\n     Appendix III:           Criteria ................................................................................ 24\n     Appendix IV:            List of Recommendations ................................................... 26\n     Appendix V:             Management Comments .................................................... 29\n     Appendix VI:            OIG Response to Management Comments ........................ 34\n\n\n\n\nSEC Controls Over GFE and CAP                                                                        March 28, 2012\nReport No. 503\n                                                      Page x\n\x0c                   Background and Objectives\n\nBackground\nThe U.S. Securities and Exchange Commission (SEC or Commission) Office of\nInspector General (OIG), in accordance with its annual audit plan, contracted\nwith Castro & Company, LLC (Castro & Co) to conduct an audit of the SEC\xe2\x80\x99s\ncontrols over Government Furnished Equipment (GFE) and Contractor Acquired\nProperty (CAP). The SEC\xe2\x80\x99s mission is to protect investors; maintain fair, orderly,\nand efficient markets; and facilitate capital formation. The SEC accomplishes\nmuch of its mission through the use of contractors, and frequently provides its\ncontractors with information technology equipment to aid in carrying out its work.\n\nThe Federal Acquisition Regulation (FAR) Part 45 \xe2\x80\x93 Government Property\ndefines GFE or, Government Furnished Property (GFP), as follows:\n\n        \xe2\x80\x9cGovernment-furnished property" means property in the\n        possession of, or directly acquired by, the Government and\n        subsequently furnished to the contractor for performance of\n        a contract\xe2\x80\xa6\n\nGFP also includes contractor-acquired property that is a deliverable under a cost\ncontract that is accepted by the government for continued use under the\ncontract. 4\n\nThe FAR defines CAP as \xe2\x80\x9cproperty acquired, fabricated, or otherwise provided by\nthe contractor for performing a contract and to which the government has title.\xe2\x80\x9d 5\nExamples of GFP include servers or machinery that the government provides to\na contractor to use at the contractor facility to perform the terms of its contract.\nFor simplicity, throughout this report GFE and CAP will be referred to as GFP.\n\nThe FAR requires contractors \xe2\x80\x9chave a system to manage (i.e., control, use,\npreserve, protect, repair and maintain) government property\xe2\x80\x9d that is in its\npossession and to initiate and maintain processes, systems, procedures,\nrecords, and methodologies necessary for effective control of the government\nproperty. 6\n\nThe SEC has approximately 3,500 employees and 1,400 contract employees\nwho work at its Headquarters site in Washington, D.C., the Operations Center in\nAlexandria, VA, and its 11 regional offices located throughout the country. The\n\n4\n  FAR 45.101, Definitions\n5\n  FAR 45.101, Definitions.\n6\n  FAR 52.245-1(b)(1) - Government Property management, Clause (b)(1), Property management,\nhttps://www.acquisition.gov/far/html/52_245.html.\nSEC Controls Over GFE and CAP                                                       March 28, 2012\nReport No. 503\n                                             Page 1\n\x0cscope of our audit primarily covered the SEC\xe2\x80\x99s Office of Administrative Services\n(OAS), Office of Information Technology (OIT), and Office of Financial\nManagement (OFM).\n\nThe SEC Administrative Regulation (SECR) 9-2, Property Management Program,\nprescribes the policies and procedures governing the development,\nadministration, application, and oversight of the SEC\xe2\x80\x99s personal property\nmanagement program to ensure that public assets under SEC custody are\neffectively and efficiently managed and controlled. The SECR 9-2 applies to\npersonal property that is purchased or leased by the SEC. 7 Additionally, SECR\n9-2 does not address GFP except by stating, \xe2\x80\x9cIt should be noted that government\nfurnished property used by a contractor off-site is governed by the Federal\nAcquisition Regulation.\xe2\x80\x9d\n\nOAS\xe2\x80\x99s Role With GFP\nThe Property Management Officer is OAS\xe2\x80\x99 Associate Executive Director, and is\nresponsible for the SEC\xe2\x80\x99s property management program. The Property\nManagement Officer\xe2\x80\x99s responsibilities include establishing policies, standards,\nand guidance in accordance with applicable laws, regulations, and sound\npersonal property management practices and standards, and assessing the\neffectiveness of the Commission\xe2\x80\x99s personal property activities to ensure that\nsound, economical and efficient systems and internal controls are in place.\n\nOAS conducts annual inventories of all accountable SEC property \xe2\x80\x93 items with\nan original acquisition cost of $5,000 or more - in Momentum\xe2\x80\x99s Fixed Asset\nModule (FAM) accounting system. 8 Accountable property includes items such as\ninternal use software and leasehold improvements, with an original acquisition\ncost of $5,000 or more. This property is subject to being inventoried each year\nand it is entered into FAM. 9 Information technology equipment not meeting the\n$5,000 accountable property threshold is not required to be inventoried in FAM.\nOAS conducts annual physical inventories on all accountable property, including\ninformation technology equipment that cost more than $5,000, and enters the\nresulting data in FAM.\n\nAll Momentum modules, including FAM, are scheduled to be closed for new data\nentry as of March 31, 2012, as the SEC transitions to a new Financial Shared\nServices Provider, Delphi Accounting System (Oracle Financials). At that time,\nexisting SEC accountable property in FAM will be converted to the Oracle Assets\nModule.\n\n\n\n7\n  SECR 9-2, Property Management Program (Mar. 16, 2009) cover letter and ch.1.1 \xe2\x80\x93 Purpose.\n8\n  Momentum is the SEC\xe2\x80\x99s accounting system. Fixed Asset Module (FAM), is a separate module in\nMomentum that is SEC\xe2\x80\x99s property management system.\n9\n  SECR 9-2, section 1-5(C).\nSEC Controls Over GFE and CAP                                                        March 28, 2012\nReport No. 503\n                                              Page 2\n\x0cOAS tracks all the SEC contracts in the Federal Procurement Data System\n(FPDS) and will continue to do so after the SEC\xe2\x80\x99s transition to Oracle\nFinancials. 10 FPDS includes a field that Contracting Officers can use to identify\ncontracts that authorize the issuance of GFP during the contract\xe2\x80\x99s period of\nperformance. If the SEC provides GFP to a contractor, the FAR requires that the\nContracting Officer insert the government property clause FAR Part 52.245.1, in\nits entirety, into the contract. Contracting Officer Representatives are\nresponsible for ensuring that GFP, as specified in a contract, is available when\nauthorized and for reporting any accountable property to the contracting officer. 11\n\nAMB\xe2\x80\x99s Role With GFP\nOIT\xe2\x80\x99s Asset Management Branch (AMB) is responsible for establishing property\nmanagement policies for information technology equipment, including serving as\nthe inventory control point for the acquisition, storage and issuance of information\ntechnology equipment (this includes computers and mobile devices); serves as\nthe utilization coordinator for the reassignment and disposal of information\ntechnology assets; and interfaces with the OAS\xe2\x80\x99 Assistant Property Management\nOfficer regarding all information technology property issues. 12\n\nFurther, AMB is responsible for issuing SEC owned information technology\nproperty items to contract employees and tracking these items. Further, AMB is\nresponsible for identifying what property has been issued to contractors,\ndetermining the location of government issued property, and ensuring the return\nof the government issued property to AMB when the contractor no longer needs\nit or when the contractor no longer works on the contract.\n\nAMB maintains the Configuration Management Database (CMDB), which tracks\nagency-wide information technology equipment (includes GFP) that the SEC\nowns, as well as equipment that is located at the SEC\xe2\x80\x99s regional offices and\nequipment the regional offices issues to its contractors. AMB uses CMDB to\ntrack and monitor all SEC information technology equipment that is not\nconsidered accountable property. 13\n\nOFM\xe2\x80\x99s Role With GFP\nOFM administers the SEC\xe2\x80\x99s financial management and budget functions, and is\nresponsible for accounting policies, procedures, and operations, including\noverseeing the Commission\xe2\x80\x99s internal control procedures to ensure accountability\n\n10\n   FPDS is an automated system for collecting and reporting on federal procurement spending and serves\nas a repository for federal procurement award data, https://www.fpds.gov/downloads/Manuals/FPDS-\nNG_Overview.ppt\n11\n   SECR 10-15 (rev. 1), Acquisitions Contract Administration Positions (Aug. 12, 2009), app. A (rev. Aug. 13,\n2009).\n12\n   SECR 9-2, section 1-5(F).\n13\n   Per the AMB Branch Chief, the CMDB is used to identify information technology equipment when AMB\nconducts agency-wide, wall-to-wall inventories.\nSEC Controls Over GFE and CAP                                                              March 28, 2012\nReport No. 503\n                                                 Page 3\n\x0cfor property and reconciliation of the official property records to the general\nledger control accounts. 14\n\nRegional Office Questionnaire\nTo determine the adequacy of the SEC identifying, issuing, and tracking GFP at\nits regional offices, Castro & Co developed and issued a questionnaire that was\nsent to administrative officers and supervisors at the SEC\xe2\x80\x99s 11 regional offices\nregarding the following:\n\n      \xe2\x80\xa2    Regional Office Location and Personnel \xe2\x80\x93 Names, phone numbers\n           and e-mail addresses of the Property Accountability Officer,\n           Property Custodian Officer, Receiving Official, Administrative\n           Officer, and any other individual associated with GFP.\n      \xe2\x80\xa2    Requisition and Procurement \xe2\x80\x93 Respond to questions associated\n           with the office\xe2\x80\x99s methodology for procuring equipment and\n           contractors, procedures for identifying contracts with GFP items,\n           and procedures for determining whether GFP items were provided\n           to contractors.\n      \xe2\x80\xa2    Receipt of Property Items \xe2\x80\x93 Does the office have a centralized\n           location for the receipt of property items? Does the office have\n           procedures associated with the receipt of property items? Are\n           there procedures pertaining to the distribution of property items to\n           end users?\n      \xe2\x80\xa2    Accountability of Property Items \xe2\x80\x93 Respond to a series of questions\n           related to tracking property items in FAM15 or some other database\n           and the recent inventorying of property items at the regional offices.\n      \xe2\x80\xa2    Other \xe2\x80\x93 What are the office procedures associated with collecting\n           GFP from contractors after the period of performance on a given\n           contract has ended?\n\nWe received responses to our questionnaire from 10 regional offices. However,\nafter repeated requests, the Los Angeles regional office did not respond to the\nquestionnaire.\n\n\n\n\n14\n     SECR 9-2, section 1-5(E).\n15\n     FAM is located in the SEC\xe2\x80\x99s Momentum Accounting System.\nSEC Controls Over GFE and CAP                                             March 28, 2012\nReport No. 503\n                                               Page 4\n\x0cObjectives\nThe overall objective of this audit was to determine whether the SEC has in place\nsufficient management controls over government property held by contractors\nand whether those controls were operating effectively.\n\nCastro & Co\xe2\x80\x99s additional objectives were to determine whether:\n   \xe2\x80\xa2   SEC has reliable records to determine which contractors have\n       received GFP and the dollar value of the assets provided;\n   \xe2\x80\xa2   Contracting Officer Representatives or others responsible for\n       administration of property are properly trained and performing their\n       required duties in accordance with SEC policy;\n   \xe2\x80\xa2   Contractors that were provided GFP by the SEC have performed\n       annual inventories of property in accordance with their contracts\n       and the FAR;\n   \xe2\x80\xa2   The SEC and contractors that were provided GFP by the SEC have\n       adequate policies and procedures for the management and\n       disposal of property, including the sanitization and disposal of\n       information technology property such as media, magnetic tapes,\n       removable media, and hard drives containing sensitive data; and\n   \xe2\x80\xa2   Assets held by contractors are properly accounted for and reported\n       in the SEC\xe2\x80\x99s financial statements.\n\nWhere appropriate Castro & Co also identified areas for improvement.\n\n\n\n\nSEC Controls Over GFE and CAP                                       March 28, 2012\nReport No. 503\n                                     Page 5\n\x0c                Findings and Recommendations\n\nFinding 1: The SEC Could Not Identify the\nUniverse of Property Issued to Contractors\n         OAS and OIT could not identify the universe of property\n         issued to contractors that was designated as GFP, and it has\n         not clearly defined property that is considered GFP. As a\n         result, there is an increased risk that the SEC\xe2\x80\x99s management\n         of GFP is not in compliance with the FAR, and the property\n         will be lost, stolen, or misused.\n\nFrom our review of the SEC property databases (e.g., FAM and AMB\xe2\x80\x99s\nConfiguration Management Database (CMDB)), we could not identify which\nproperty items in the databases that would create the universe of GFP.\nAdditionally, through discussions with OAS, OIT, OFM, Contracting Officers,\nContracting Officer Representatives, and regional office personnel, we\ndetermined that SEC personnel lack a clear understanding of what constitutes\nGFP. The FAR defines GFP as:\n\n         \xe2\x80\x9cGovernment-furnished property\xe2\x80\x9d means property in the\n         possession of, or directly acquired by, the Government and\n         subsequently furnished to the contractor for performance of\n         a contract\xe2\x80\xa6Government-furnished property also includes\n         contractor-acquired property if the contractor-acquired\n         property is a deliverable under a cost contract when\n         accepted by the Government for continued use under the\n         contract. 16\n\nIn its administrative regulations, the SEC does not clearly identify the specific\nproperty items that are considered GFP, or the particular circumstances that are\nneeded for SEC property to meet the FAR definition of GFP.\n\nOur review found that SECR 9-3 indicates \xe2\x80\x9cGovernment Furnished Property is\ndefined in the FAR, Part 45.\xe2\x80\x9d17 However, it does not discuss what specific SEC\nproperty is designated as GFP. In addition, SECR 9-2 does not address GFP\nexcept by stating, \xe2\x80\x9cIt should be noted that government furnished property used by\na contractor off-site is governed by the Federal Acquisition Regulation.\xe2\x80\x9d 18\n\n\n16\n   FAR 45.101, Definitions.\n17\n   SECR 9-3, Report of Survey Program (Mar. 18, 1996), section A(3)(A). SECR 9-3 3 \xe2\x80\x9cprovides criteria\nand procedures for initiating, preparing, and approving reports of survey for SEC property.\xe2\x80\x9d In addition, it\nestablishes criteria for determining an individual\'s financial liability for loss of or damage to SEC property.\n18\n   SECR 9-2, Property Management Program, section 6.2(B).\nSEC Controls Over GFE and CAP                                                                   March 28, 2012\nReport No. 503\n                                                    Page 6\n\x0cResponse to Regional Office Questionnaire. In response to the questionnaire\nwe issued to the SEC\xe2\x80\x99s 11 regional offices, five offices identified contractors they\ndetermined had been issued GFP. These offices indicated the GFP items were\ndesktop computers and monitors that AMB provided to the contractor\xe2\x80\x99s\nemployees. 19 Three regional offices verbally stated they did not have a clear\nunderstanding of what SEC information technology equipment is defined as GFP.\n\nConclusion. OAS and OIT could not identify the universe of GFP that was\nissued to SEC contractors. Further, the SEC has not clearly defined in its\ninternal policies and the SECR, exactly what property is considered to be GFP.\n\nBecause the SEC has not clearly identified the universe of GFP, there is a risk\nthat the SEC may not be in compliance with the FAR Part 45, and property that is\nlost, stolen, or misused may not be detected. We found that some contracts we\nreviewed included sections related to GFP items that were provided in the\ncontract, but OAS later determined that the items did not meet the definition of\nGFP in Part 45. For example, one contract had a section stating, \xe2\x80\x9cGovernment\nFurnished Facilities and Equipment. The SEC shall provide office space and\ncomputers for contractor personnel,\xe2\x80\x9d and the SEC confirmed they do not\nconsider these items to be GFP.\n\n     Recommendation 1:\n\n     The Office of Administrative Services (OAS), in conjunction with the\n     Office of Information Technology (OIT), should revise SECR 9-3,\n     Report of Survey Program and SECR 9-2, Property Management\n     Program, and clearly define property that is designated as Government\n     Furnished Property (GFP). OAS and OIT should further identify in\n     SECR 9-3 and 9-2 the particular circumstances that are needed to\n     meet the GFP requirements in accordance with Part 45 of the Federal\n     Acquisition Regulation.\n\n     Management Comments. OAS and OIT concurred with this\n     recommendation. See Appendix V for management\xe2\x80\x99s full comments.\n\n     OIG Analysis. We are pleased that OAS and OIT concurred with this\n     recommendation.\n\n\n\n\n19\n  Computers issued to contract personnel are not the type of information technology equipment OAS or OIT\nconsider to be GFP.\nSEC Controls Over GFE and CAP                                                          March 28, 2012\nReport No. 503\n                                               Page 7\n\x0cFinding 2: The Configuration Management\nDatabase Is Not Reliable for Identifying\nInformation Technology Equipment\n       The CMDB, which AMB uses to track and monitor\n       information technology equipment, is not reliable because its\n       controls over the monitoring and tracking of information\n       technology equipment are insufficient and do not ensure that\n       the information in the database is accurate and complete.\n\nTo determine the appropriateness and completeness of the CMDB for tracking\nand identifying information technology equipment, we obtained an FPDS report\nfrom OAS containing all the contracts that were identified as having been issued\nGFP. OAS tracks all SEC contracts in the FPDS and the FPDS has a field that\nContracting Officers can use to identify contracts that are authorized to be issued\nGFP during the contract\xe2\x80\x99s period of performance.\n\nWe then obtained a CMDB report from AMB that identified all information\ntechnology property items that were provided to contractors. To analyze these\nreports, Castro & Co:\n\n       (1) Reviewed the reports for any anomalies;\n       (2) Reconciled the reports by comparing them to determine if\n           contractors on one of the databases were missing from the\n           other;\n       (3) Selected a sample number of contractors from the CMDB listing\n           that were not included on the FPDS report and obtained a copy\n           of the contracts; and\n       (4) Obtained a Momentum report from OFM of all transactions\n           recorded against the \xe2\x80\x9cequipment\xe2\x80\x9d Budget Object Class 31XX, in\n           2010 and 2011.\n\nOur review of the FPDS report and the report from the CMDB identified the\nfollowing discrepancies:\n\n   \xe2\x80\xa2   Certain data fields in the CMDB were inaccurate or incomplete. For\n       example, 31 items in the population of 1,658 information technology\n       assets in the CMDB did not have the required room number for the\n       location of the asset; and three items did not have the required floor\n       number for the asset.\n   \xe2\x80\xa2   An Asset Tag number was listed twice in the CMDB.\n   \xe2\x80\xa2   A significant number of Blackberries being held for stock were\n       wrongly assigned to a contract employee in the CMDB.\n   \xe2\x80\xa2   The FPDS report identified 42 contractors with GFP and the CMDB\n       showed 110 contractors had GFP. We determined that 74\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                      Page 8\n\x0c         contractors on the CMDB report were not included in the FPDS\n         report.\n     \xe2\x80\xa2   We were unable to determine if 11 of the 110 contractors in the\n         CMDB report had active contracts with SEC because contract\n         numbers are not included in the CMDB and therefore could not be\n         tracked.\n\nBased on our analysis, we determined that the information in the CMDB was\nunreliable because the database contained erroneous information.\n\nPast Problems Associated With Updating the CMDB. AMB has not\nconducted a wall-to-wall inventory of SEC information technology equipment\nsince 2009. The AMB Branch Chief informed Castro & Co that during the 2009\ninventory, server problems interfered with loading inventory data into the CMDB\ncorrectly, and the contractor responsible for conducting the inventory spent\napproximately a year trying to correct the issues, which caused delays in\nperforming the next scheduled equipment inventory. He further relayed that as a\nresult, AMB did not start to plan the next wall-to-wall inventory until the third\nquarter of fiscal year 2010. As a result, he acknowledged that the data in the\nCMDB is not current.\n\nFurther AMB\xe2\x80\x99s Branch Chief told us that OIT\xe2\x80\x99s \xe2\x80\x9cTier II 20\xe2\x80\x9d technicians neglected to\nupdate the CMDB when they issued new equipment to contractors.\n\nAssessment of the CMDB\xe2\x80\x99s Controls. In Castro & Co\xe2\x80\x99s questionnaire, five\nregional offices stated they had issued information technology equipment to\ncontractors; however, only one of the offices maintained a listing of the\nequipment. We attempted to trace all items identified on this particular regional\noffice\xe2\x80\x99s list, to the CMDB to determine if AMB properly tracked the items and\nfound that some if the information technology equipment was not in the CMDB.\n\nAMB did not have proper policies and procedures related to the accountability for\ninformation technology equipment, including GFP in the CMDB. AMB also did\nnot have policies and procedures for coordinating with the Contracting Officer\nRepresentatives or other Property Accountability Officers, as designated in the\ncontract, to ensure that GFP items are properly returned to OIT when for\nexample, the contractor no longer needs the item, the contractor no longer works\nfor the vendor or in the area requiring equipment, or when the period of\nperformance on the contract ends.\n\nFour staff in the regional offices informed Castro & Co that they did not have a\nclear understanding of the procedures they should follow when a contract\nemployee who was issued GFP either no longer works on the contract or when\nthe period of performance on the contract ends. Therefore, there is a risk that\n20\n  AMB\xe2\x80\x99s \xe2\x80\x9cTier II\xe2\x80\x9d technicians are contractors who are managed by OIT\xe2\x80\x99s Technical Assistance Center\nBranch.\nSEC Controls Over GFE and CAP                                                          March 28, 2012\nReport No. 503\n                                               Page 9\n\x0cproperty items AMB provided to contractors may have been transferred to\nanother contractor or SEC employee without being properly tracked.\n\nConclusion. The CMDB was unreliable due to missing data fields, the data\nbeing unreliable, and not utilized fully by staff, and we could not trace the\nassignment of certain information technology equipment to specific contracts or\nindividuals. Therefore, if equipment was lost, stolen, or was not returned to the\nagency, the SEC would have a difficult time identifying the contractor and or\nindividual who was responsible for the equipment. AMB is not complying with\nSECR 9-2, Section 1-1, Purpose, which states, \xe2\x80\x9cThis Property Management\nRegulation prescribes procedures to ensure that public assets under the SEC\ncustody are effectively and efficiently managed and controlled. Implementation\nof logistical and financial accountability and controls will enable the SEC\nresource managers to maximize the taxpayers\xe2\x80\x99 investment in government\nproperty by preventing unnecessary acquisitions, promoting effective use of\nexisting assets, and attaining optimum return by systematic disposal of unneeded\nequipment.\xe2\x80\x9d21\n\n       Recommendation 2:\n\n       The Office of Information Technology (OIT) should revise its policy to specify\n       how often the office will conduct wall-to-wall inventories of the Securities and\n       Exchange Commission\xe2\x80\x99s information technology equipment and how\n       frequently the Configuration Management Database (CMDB) should be\n       updated. In performing the inventories, OIT should ensure that:\n\n           \xe2\x80\xa2   All relevant fields related to asset management in the CMDB are\n               accurate and properly completed, including verifying that\n               individuals using the property items are properly identified within\n               the database;\n           \xe2\x80\xa2   Equipment in regional offices is included in the wall-to-wall\n               inventory; and\n           \xe2\x80\xa2   Fields in the CMDB that capture contract numbers and contract\n               expiration dates using the Active Directory.\n\n       Management Comments. OIT concurred with this recommendation. See\n       Appendix V for management\xe2\x80\x99s full comments.\n\n       OIG Analysis. We are pleased that OIT concurred with this\n       recommendation.\n\n\n\n\n21\n     SEC Administrative Regulation, SECR 9-2, Property Management Program, Section 1.1.\nSEC Controls Over GFE and CAP                                                             March 28, 2012\nReport No. 503\n                                               Page 10\n\x0c   Recommendation 3:\n\n   The Office of Information Technology (OIT) should coordinate with the\n   Contracting Officer Representative or other Property Accountability Officer, as\n   designated in the contract, to ensure that government issued property items\n   are properly returned to the OIT and the items are promptly removed from the\n   Configuration Management Database when the contractor is no longer using\n   it or when the contract is no longer active.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix V for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation.\n\n   Recommendation 4:\n\n   The Office of Information Technology (OIT) should develop and implement\n   procedures for monitoring information technology equipment at the regional\n   offices that is communicated to appropriate personnel. These procedures\n   should include the regional office\xe2\x80\x99s roles in monitoring information technology\n   equipment issued to contractors, including their responsibilities when a\n   contractor employee exits a contract or when the equipment is moved to a\n   new location.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix V for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation.\n\n\n\n\nSEC Controls Over GFE and CAP                                        March 28, 2012\nReport No. 503\n                                    Page 11\n\x0cFinding 3: OIT Has Not Conducted Timely\nInventory of the SEC\xe2\x80\x99s Information Technology\nEquipment and Lacks Up-to-Date Information\nTechnology Equipment Policies and Procedures\n       AMB has not appropriately inventoried the SEC information\n       technology equipment, including information technology\n       equipment provided to contractors. In addition, AMB does\n       not have up-to-date policies and procedures to ensure that\n       information technology equipment, including GFP, is\n       accounted for effectively. As a result, the risk is increased\n       that such equipment could be lost, stolen, misused and that\n       the loss, theft, or misuse could go undetected.\n\nOIT Has Not Conducted Timely Inventory of the SEC\xe2\x80\x99s\nInformation Technology Equipment\nAs previously mentioned, AMB has not conducted a wall-to-wall inventory of the\nSEC\xe2\x80\x99s information technology equipment since 2009. The AMB Branch Chief\ninformed Castro & Co that during the 2009 inventory, server problems interfered\nwith loading inventory data into the CMDB correctly, and the contractor\nresponsible for conducting the inventory spent approximately a year trying to\ncorrect the issues, which caused delays in performing the next scheduled\nequipment inventory. In February 2012, AMB initiated an agency-wide, wall-to-\nwall inventory of the SEC\xe2\x80\x99s information technology equipment. AMB says the\noffice will now conduct an inventory every two years, hereafter. AMB\xe2\x80\x99s\ninventories will obtain the following information for each property item\ninventoried, including GFP, if applicable:\n\n   \xe2\x80\xa2   Name of Employee/Contractor to whom the equipment is assigned\n   \xe2\x80\xa2   Equipment Serial Number\n   \xe2\x80\xa2   Office Number and Floor where equipment is located\n   \xe2\x80\xa2   Office Location (Headquarters, regional office, etc.)\n   \xe2\x80\xa2   Asset Sub Class (e.g., monitors, desktops, laptops)\n\nThe Government Accountability Office (GAO) identified a number of best\npractices in performing an inventory of property, including the following key\nfactors for achieving consistent and accurate counts of physical inventories:\n\n   \xe2\x80\xa2   Establish Accountability\n   \xe2\x80\xa2   Establish Written Policies\n   \xe2\x80\xa2   Select an Approach\n   \xe2\x80\xa2   Determine Frequency of Counts\n\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                     Page 12\n\x0c     \xe2\x80\xa2   Maintain Segregation of Duties\n     \xe2\x80\xa2   Enlist Knowledgeable Staff\n     \xe2\x80\xa2   Provide Adequate Supervision\n     \xe2\x80\xa2   Perform Blind Counts\n     \xe2\x80\xa2   Ensure Completeness of the Count\n     \xe2\x80\xa2   Execute Physical Count\n     \xe2\x80\xa2   Perform Research\n     \xe2\x80\xa2   Evaluate Count Results 22\n\nThe GAO Executive Guide presents processes and controls that private sector\ncompanies use and recognize as excelling in their ability to manage inventory\nand achieve consistent and accurate counts of physical inventories.\n\nSince the SEC has not performed timely inventories of information technology\nequipment, they are not able to accurately identify a complete universe of\ninformation technology equipment.\n\nAMB Property Management Policies. AMB has not developed up-to-date\nproperty management policies for the SEC\xe2\x80\x99s information technology equipment.\nThe AMB Branch Chief, who joined the SEC during the summer of 2011, said\nthat his major focus had been on updating outdated procedures related to\nmonitoring and developing a plan to conduct a wall-to-wall inventory of the SEC\xe2\x80\x99s\ninformation technology equipment. Because AMB did not have up-to-date\npolicies and procedures, there were not adequate controls in place related to the\naccountability of information technology equipment.\n\nConclusion. Because it did not conduct a timely wall-to-wall inventory of the\nSEC information technology equipment and has not established or implemented\nup-to-date policies and procedures to ensure information technology equipment\ncan be effectively accounted for, AMB is not complying with SECR 9-2, or\nfulfilling the purpose of the regulation, which is to ensure that \xe2\x80\x9cpublic assets\nunder the SEC custody are effectively and efficiently managed and controlled.\xe2\x80\x9d 23\n\n     Recommendation 5:\n\n     The Office of Information Technology (OIT) should revise its policies and\n     procedures to establish clear accountability within the Asset Management\n     Branch that is associated with properly tracking and monitoring information\n     technology equipment, including documenting the issuance and receipt of\n     information technology equipment to specific Commission contractors.\n\n\n\n22\n   Government Accountability Office, Executive Guide - Best Practices in Achieving Consistent, Accurate\nPhysical Counts of Inventory and Related Property, GAO-02-447G (Mar. 1, 2002), at 12.\nhttp://www.gao.gov/new.items/d02447g.pdf.\n23\n   SECR 9-2, section 1.1.\nSEC Controls Over GFE and CAP                                                            March 28, 2012\nReport No. 503\n                                               Page 13\n\x0c   Management Comments. OIT concurred with this recommendation. See\n   Appendix V for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation.\n\n   Recommendation 6:\n\n   When the Office of Information Technology completes the 2012, wall-to-wall\n   inventory of information technology equipment, it should use this information\n   to establish a baseline of the equipment in the Configuration Management\n   Database.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix V for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation.\n\n\nFinding 4: Contracting Officers, Contract\nSpecialists, and Contracting Officer\nRepresentatives Have Not Received Adequate\nTraining Related to Government Furnished\nProperty\n   Contracting Officers, Contract Specialists, and Contracting\n   Officer Representatives are not properly trained regarding their\n   GFP responsibilities. As a result, sections in awarded contracts\n   included language stating the contractor was issued GFP, such\n   as a SEC computer desktop or a monitor.               In addition,\n   Contracting Officers and Contracting Officer Representatives do\n   not fully know their responsibilities related to GFP.\n\nContracting Officer and Contract Specialist Responsibilities\nRelated to GFP\nAs discussed in Finding 1, Castro & Co obtained a FPDS report from OAS that\nidentified contracts that had GFP. We then got a CMDB report from AMB that\nidentified contractors who had been issued GFP and compared the two reports.\nThe FPDS report identified 42 contractors that had GFP and the CMDB report\nidentified 110 contractors that had GFP. We initially determined that 86\ncontractors on the CMDB report that were not included on the FPDS report.\n\nSEC Controls Over GFE and CAP                                           March 28, 2012\nReport No. 503\n                                    Page 14\n\x0cHowever, we determined six contractors were repeated twice and three contracts\nwere on the report three times. After removing the duplicate entries, we\ndetermined that 74 contractors remained on the CMDB report, were not on the\nFPDS report.\n\nWe selected a sample of 30 contractors from the list of 74 contractors on the\nCMDB report and reviewed the associated contracts to determine if the contracts\nincluded\n\n       \xe2\x80\xa2   A section stating the contractor would be issued GFP; and\n       \xe2\x80\xa2   FAR 52.245-1 (as required by FAR 45.107). 24\n\nTen out of the 30 contracts in our sample included a section in the contract\nindicating the contractor would be provided GFP. For example, one contract\ncontained a contained the following language:\n\n           \xe2\x80\x9cGovernment Furnished Facilities and Equipment. The SEC\n           shall provide office space and computers for contractor\n           personnel.\xe2\x80\x9d\n\nBoth OAS and OIT informed us that computers issued to contract personnel are\nnot the type of information technology equipment it considers to be GFP. These\nare standard equipment that is issued to most contractors (depending on need)\nand it does not leave the SEC\xe2\x80\x99s work sites. Therefore, we determined that the\nGFP section should not have been included in the contracts. OAS and OIT staff\nstated the GFP section was included in the contracts by Contracting Officers and\nContract Specialists who did not have a clear understanding of what SEC defines\nas GFP. Additionally, Contracting Officers and Contract Specialists tend to use\nold Statement of Works to develop templates to develop new contract\nrequirements that have the GFP sections already included in it.\n\nContracting Officer Representatives Responsibilities Related to\nGFP\nWe judgmentally selected 15 contractors from the list of property items in the\nCMDB and requested names for the Contracting Officer Representatives that\nwere associated with the contracts, from the Office of Acquisitions. We\ninterviewed all but one Contracting Officer Representatives, who was from the\nOffice of Human Resources, and did not respond to our e-mail and telephone\nrequests for an interview.\n\nBased on the interviews we conducted, Castro & Co found that Contracting\nOfficer Representatives are confused about the definition of GFP and their\nresponsibilities for monitoring GFP, including whether procedures exist for\n\n24\n     Federal Acquisition Regulation Part 45 \xe2\x80\x93 Government Property, Section 45.107, Contract Clauses.\nSEC Controls Over GFE and CAP                                                             March 28, 2012\nReport No. 503\n                                                 Page 15\n\x0cassigning GFP to contractors and collecting GFP when a contract employee exits\na contract. The majority of Contracting Officer Representatives believe they are\nnot responsible for tracking property that is issued to contractors because they\nbelieve it is AMB\xe2\x80\x99s responsibility. However, SECR 10-15 states that Contracting\nOfficer Representatives\xe2\x80\x99 responsibilities and duties include ensuring GFP, as\nspecified in the contract, is available when required, and for reporting any\naccountable property to the appropriate personnel. 25\n\nContracting Officer Representatives Training. The Contracting Officer\nRepresentatives indicated they are required to complete 40 hours of training\nevery two years to maintain their certification. OAS regularly provides the\nContracting Officer Representatives with suggested courses in e-mails and they\nalso remind them of their recertification requirements.\n\nThere are three levels of Contracting Officer Representatives designation, each\nwith different training and experience requirements:\n\n     1. Level I \xe2\x80\x93 Level I Contracting Officer Representatives are required\n        to complete eight hours of training and are not required to have\n        previous experience. This designation is generally appropriate for\n        low-risk contract vehicles, such as supply and order contracts.\n\n     2. Level II \xe2\x80\x93 Level II Contracting Officer Representatives are required\n        to complete 40 hours of training and must have two years of\n        previous Contracting Officer Representatives experience. This\n        designation is generally appropriate for contract vehicles of\n        moderate to high complexity, including both supply and service\n        contracts. Level II Contracting Officer Representatives may also be\n        called upon to perform general project management activities.\n\n     3. Level III \xe2\x80\x93 Level III Contracting Officer Representatives, are\n        required to complete 60 hours of training every two years, and must\n        have experience on contracts of moderate to high complexity that\n        require significant acquisition investment. Level III Contracting\n        Officer Representatives are the most experienced Contracting\n        Officer Representatives should be assigned the most complex and\n        mission-critical contracts. These Contracting Officer\n        Representatives are often called upon to perform significant\n        program management activities. 26\n\nWe conducted interviews with the SEC University personnel to identify available\ntraining that is related to property management. The SEC University sends out\n25\n   SECR 10-5, app. A.\n26\n   Office of Management and Budget, Memorandum for Chief Acquisition Officers, Senior Procurement\nExecutives: Revisions to the Federal Acquisition Certification for Contracting Officer\xe2\x80\x99s Representatives\n(FAC-COR) (Sept. 6, 2011), at 2, http://www.whitehouse.gov/sites/default/files/omb/procurement/revisions-\nto-the-federal-acquisition-certification-for-contracting-officers-representatives.pdf.\nSEC Controls Over GFE and CAP                                                            March 28, 2012\nReport No. 503\n                                               Page 16\n\x0cagency-wide emails about Contracting Officer Representatives training and is the\nprimary SEC office responsible for developing and administering courses that\nContracting Officer Representatives can take to obtain their Level I to Level III\nrecertification. The SEC University offers various courses Contracting Officer\nRepresentatives can take to maintain their certifications. Our review of the\ntraining courses found that the current courses do not address the role of\nContracting Officer Representatives who oversee contracts with GFP. Currently,\nthe SEC University offers a \xe2\x80\x9cPutting it All Together\xe2\x80\x9d course for Contracting Officer\nRepresentatives that covers procurement procedures and includes a panel\ndiscussion with active SEC Contracting Officers and Contracting Officer\nRepresentatives. The SEC University personnel stated that a new \xe2\x80\x9cPutting it All\nTogether\xe2\x80\x9d or \xe2\x80\x9cWebinar\xe2\x80\x9d course could be developed that addresses GFP\nrequirements. Such a course could also include a panel discussion with property\nexperts, including representatives from AMB.\n\nBecause Contracting Officers, Contract Specialists and Contracting Officer\nRepresentatives do not have a clear understanding of what is or is not GFP, SEC\ncontracts may erroneously include or exclude GFP clauses. Further, because\nContracting Officers, Contract Specialists, and Contracting Officer\nRepresentatives do not know what their responsibilities related to GFP. Finally,\nGFP currently is not being properly accounted for, tracked, and monitored.\n\n   Recommendation 7:\n\n   The Office of Administrative Services, in conjunction with the Office of\n   Information Technology, should develop periodic training for Contracting\n   Officers, Contract Specialists, and Contracting Officer Representatives that\n   clearly defines and addresses their responsibilities related to government\n   furnished property consistent with Part 45 of the Federal Acquisition\n   Regulation, Government Property and SECR 9-2, Property Management\n   Program.\n\n   Management Comments. OAS and OIT concurred with this\n   recommendation. See Appendix V for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OAS and OIT concurred with this\n   recommendation.\n\n\n\n\nSEC Controls Over GFE and CAP                                         March 28, 2012\nReport No. 503\n                                     Page 17\n\x0c   Recommendation 8:\n\n   The Office of Administrative Services should ensure when the Securities and\n   Exchange Commission issues Government Furnished Property to\n   contractors, the Contracting Officer (and where appropriate the Contract\n   Specialist), includes language in the contract that specifies:\n\n      \xe2\x80\xa2   The name of the equipment,\n      \xe2\x80\xa2   What equipment will be retained, disposed of, or returned to the\n          government,\n      \xe2\x80\xa2   When the equipment will be disposed of or returned to the\n          government, and\n      \xe2\x80\xa2   Who can accept the returned equipment.\n\n   Management Comments. OAS concurred with this recommendation.\n   See Appendix V for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OAS concurred with this\n   recommendation.\n\n   Recommendation 9:\n\n   The Office of Information Technology should issue Government Furnished\n   Property to contractors only after it obtains proof that the vendor\xe2\x80\x99s contract\n   has language authorizing the contractor to receive the equipment.\n\n   Management Comments. OIT concurred with this recommendation. See\n   Appendix V for management\xe2\x80\x99s full comments.\n\n   OIG Analysis. We are pleased that OIT concurred with this\n   recommendation.\n\n\n\n\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                     Page 18\n\x0c                                                                  Appendix I\n\n\n                                Abbreviations\n\nAMB                               Asset Management Branch\nCAP                               Contractor Acquired Property\nCastro & Co                       Castro & Company, LLC\nCMDB                              Configuration Management Database\nCOSO                              Committee of Sponsoring Organizations\n                                   of the Treadway Commission\nFAM                               Fixed Asset Module\nFAR                               Federal Acquisition Regulation\nFPDS                              Federal Procurement Data System\nGAO                               Government Accountability Office\nGFE                               Government Furnished Equipment\nGFP                               Government Furnished Property\nOAS                               Office of Administrative Services\nOFM                               Office of Financial Management\nOIG                               Office of Inspector General\nOIT                               Office of Information Technology\nOMB                               Office of Management and Budget\nSEC or Commission                 U.S. Securities and Exchange Commission\nSECR                              SEC Administrative Regulation\n\n\n\n\nSEC Controls Over GFE and CAP                                    March 28, 2012\nReport No. 503\n                                    Page 19\n\x0c                                                                       Appendix II\n\n\n                     Scope and Methodology\n\nAs part of the OIG\xe2\x80\x99s annual audit plan, Castro & Co conducted an audit of\nmanagement controls over the SEC\xe2\x80\x99s GFP.\n\nCastro & Co conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we plan\nand perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives.\nWe believe that the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objectives.\n\nScope. The OIG contracted with Castro & Co to conduct a performance audit to\nidentify potential areas for improvement with regard to the Commission\xe2\x80\x99s GFP.\nThe overall objective of the audit was to determine whether sufficient\nmanagement controls over government property held by contractors were in\nplace and operating effectively. The scope of our audit covered GFP acquired\nfrom fiscal year 2007 through fiscal year 2011, and included examining:\n\n       \xe2\x80\xa2   The Commission\xe2\x80\x99s processes for managing and accounting for\n           GFP, and\n       \xe2\x80\xa2   The policies and procedures in place to ensure the proper\n           management of and accountability for GFP.\n\nCastro & Co conducted its fieldwork from October 2011 through January 2012.\nThe scope of our audit further included the SEC\xe2\x80\x99s Headquarters site in\nWashington, D.C., the Operations Center in Alexandria, VA, and its 11 regional\noffices that are located throughout the country.\n\nMethodology. To accomplish the audit\xe2\x80\x99s objectives, Castro & Co\xe2\x80\x99s fieldwork\nincluded the following:\n\n   \xe2\x80\xa2   To gain an understanding of the GFP\xe2\x80\x99s we reviewed SEC\xe2\x80\x99s\n       regulations and policies and procedures pertaining to property\n       management and management of and accountability for GFP and\n       information technology equipment.\n\n   \xe2\x80\xa2   We reviewed relevant federal laws, regulations, and guidance;\n\n   \xe2\x80\xa2   Reviewed OIG issued reports related to GFP or accountability for\n       information technology equipment to determine the impact of their\n       findings on our audit procedures and to determine the status of\n       applicable recommendations.\n\nSEC Controls Over GFE and CAP                                       March 28, 2012\nReport No. 503\n                                    Page 20\n\x0c                                                                                       Appendix II\n\n\n     \xe2\x80\xa2   Reviewed reports issued by other federal agencies related to GFP\n         and accountability for information technology equipment, to\n         determine whether any issues in these reports were applicable to\n         the scope of our audit.\n\n     \xe2\x80\xa2   Conducted interviews with select personnel who had\n         responsibilities related to SEC property and contracts management,\n         including: personnel from OAS, OIT, OFM; contracting officers;\n         Contracting Officer Representatives; contractors; and regional\n         office personnel. We also conducted interviews with the SEC\n         University staff to determine specific training requirements related\n         to property management that are available to SEC employees.\n\n     \xe2\x80\xa2   Developed, administered, and analyzed the results of a\n         questionnaire that was directed to SEC\xe2\x80\x99s regional offices to\n         determine the adequacy of their identification, issuance, and\n         tracking processes for GFP.\n\n     \xe2\x80\xa2   Obtained, reviewed and analyzed contracts to determine whether\n         they included GFP language.\n\n     \xe2\x80\xa2   Identified areas in which improvements could be made.\n\nInternal Controls. Internal Control \xe2\x80\x93 Integrated Framework, published by the\nCommittee of Sponsoring Organizations of the Treadway Commission (COSO),\nprovides a framework for organizations to design, implement, and evaluate\ncontrols that facilitate compliance with federal laws, regulations, and program\ncompliance requirements. 27 For this audit, we based our assessment of internal\ncontrols related to the accountability and management of GFP that were\nsignificant to the audit objectives on the COSO framework, including control\nenvironment, control activities, information and communication, and monitoring.\n\nWe reviewed the management control activities as they pertained to the audit\xe2\x80\x99s\nobjectives and assessed the design effectiveness of key controls over GFP.\nAmong the internal controls we assessed to determine whether they were\nproperly designed and implemented, were OAS, OIT, and OFM\xe2\x80\x99s controls and\npolicies and procedures related to the accountability and management of GFP.\nTo facilitate our understanding of applicable GFP process controls, we reviewed\ninformation in organization charts, current policies and procedures, fiscal year\n2010 GAO Financial Statement Audit Property and Equipment Cycle\nMemorandum, and systems used to track and monitor property and equipment,\nincluding GFP. We met with appropriate staff from OAS, OIT, and OFM to gain\nan understanding of the controls surrounding property and equipment items they\nmanage, including GFP, if applicable. Additionally, to determine the adequacy of\n27\n  Committee of Sponsoring Organizations of the Treadway Commission, Internal Control-Integrated\nFramework (1992), http://www.coso.org/guidance.htm.\nSEC Controls Over GFE and CAP                                                         March 28, 2012\nReport No. 503\n                                              Page 21\n\x0c                                                                       Appendix II\n\n\nthe controls over the identification, issuance and tracking process of GFP at the\nSEC regional offices, we developed a questionnaire that was submitted to the\nSEC\xe2\x80\x99s 11 regional offices.\n\nJudgmental Sampling. Castro & Co employed a judgmental sampling\nmethodology for performing this audit. Judgmental sample sizes were\ndetermined after giving consideration to the frequency of the control, significance\nof the control, inherent risk, and professional judgment.\n\nWe judgmentally selected 30 contracts from a list of 74 active contracts OAS\nprovided, where the Contracting Officer initially identified the contractor was\nprovided GFP. We reviewed these contracts to determine whether they properly\nidentified GFP.\n\nFurther, we judgmentally selected 80 contracts from a Momentum report OFM\nprovided that contained 110 contracts that had transactions that were charged to\nthe equipment Budget Object Class 31XX, for the period of October 1, 2009\nthrough September 30, 2011. The supporting contracts were reviewed to\ndetermine whether they properly identified GFP.\n\nFurther, we judgmentally selected 15 Contracting Officer Representatives from\nthe SEC\xe2\x80\x99s approximate 59 Contracting Officer Representatives to interview.\nThese Contracting Officer Representatives were selected from a list we were\nprovided that showed the Contracting Officer Representatives was assigned\ninformation technology equipment. We interviewed the Contracting Officer\nRepresentatives because they responsible for the administration of property and\nto determine whether they were properly trained and were performing their\nrequired duties in accordance with the SEC policy.\n\nBecause we did not use statistical sampling techniques, we did not try to project\nthe results of the items reviewed in our samples to the entire population.\n\nPrior Audit Coverage. SEC OIG Controls Over Laptops, Inspection Report No.\n441, issued March 31, 2008, found weaknesses in the SEC\xe2\x80\x99s inventory and\ncontrol of laptop computers. While OAS and OIT implemented most of the\nrecommendations identified in the report, Recommendations C and D, which are\nrelated to this audit, have not been closed.\n\nRecommendation C has not been addressed. OIT indicated it will address\nRecommendations C when AMB completes its wall-to-wall inventory of\ninformation technology equipment, which includes laptops. OIT informed us that\nRecommendation D has not been completely addressed. AMB has not yet\nrevised its procedures to establish clear accountability for laptops and it has not\nestablished procedures to document the issuance of equipment to a specific SEC\nemployees or the receipt of equipment from SEC employees. AMB informed\n\n\nSEC Controls Over GFE and CAP                                         March 28, 2012\nReport No. 503\n                                     Page 22\n\x0c                                                                     Appendix II\n\n\nCastro & Co they are currently in the process of updating their procedures to\naddress these requirements.\n\n\n\n\nSEC Controls Over GFE and CAP                                       March 28, 2012\nReport No. 503\n                                    Page 23\n\x0c                                                                       Appendix III\n\n\n                                    Criteria\n\nFAR Part 45, Government Property. Prescribes policies and procedures for\nproviding government property to contractors, contractors\xe2\x80\x99 management and use\nof government property, and reporting, redistributing, and disposing of contractor\ninventory. FAR 45.107, Contract clauses, requires that FAR 52.245-1 be\ninserted in its entirety in contracts where the government provides contractors\nwith GFE or directs them to acquire property to which the government has title for\nuse under the contract.\n\nSECR 9-2, Property Management Program, March 16, 2009. Prescribes\npolicies and procedures governing the development, administration, application,\nand oversight of the SEC personal property management program and applies to\npersonal property purchased or leased by the SEC.\n\nSECR 9-3, Report of Survey Program, March 18, 1996. Prescribes policies,\nprocedures, and standards that govern the SEC\'s Report of Survey Program. It\nprovides criteria and procedures for initiating, preparing, and approving reports of\nsurvey for SEC property and establishes criteria for determining an individual\'s\nfinancial liability for loss of or damage to SEC-owned or -controlled property.\n\nSECR 10-15 (Rev. 1), Acquisitions Contract Administration Positions\n(August 12, 2009). Establishes uniform policies and procedures for the\nappointment, termination, and responsibilities of Contracting Officer\nRepresentatives and other contract administration positions at the SEC.\n\nGovernment Accountability Office, Executive Guide: Best Practices in\nAchieving Consistent, Accurate Physical Counts of Inventory and Related\nProperty, GAO-02-447G, March 2002. Describes fundamental practices and\nprocedures used in the private sector to achieve consistent and accurate\nphysical counts; summarizes fundamental principles successfully implemented\nby companies recognized for outstanding inventory management; and explains\nand describes leading practices from which the federal government might draw\nlessons and ideas.\n\n\n\n\nSEC Controls Over GFE and CAP                                         March 28, 2012\nReport No. 503\n                                     Page 24\n\x0c                                                                       Appendix III\n\n\nOffice of Management and Budget, Memorandum for Chief Acquisition\nOfficers Senior Procurement Executives: Revisions to the Federal\nAcquisition Certification for Contracting Officer Representatives (FAC-\nCOR), September 6, 2011. Prescribes revisions to the federal acquisition\ncertification for Contracting Officer Representatives, including requirements for\ncertification, recertification, and a new title for the position formerly known as\ncontracting officer technical representatives.\n\nCommittee of Sponsoring Organizations of the Treadway Commission,\nInternal Control\xe2\x80\x94Integrated Framework, 1992. Provides principles-based\nguidance for designing and implementing effective internal controls,\n\n\n\n\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                      Page 25\n\x0c                                                                      Appendix IV\n\n\n                    List of Recommendations\n\nRecommendation 1:\n\nThe Office of Administrative Services (OAS), in conjunction with the Office of\nInformation Technology (OIT), should revise SECR 9-3, Report of Survey\nProgram and SECR 9-2, Property Management Program, and clearly define\nproperty that is designated as Government Furnished Property (GFP). OAS and\nOIT should further identify in SECR 9-3 and 9-2 the particular circumstances that\nare needed to meet the GFP requirements in accordance with Part 45 of the\nFederal Acquisition Regulation.\n\nRecommendation 2:\n\nThe Office of Information Technology (OIT) should revise its policy to specify how\noften the office will conduct wall-to-wall inventories of the Securities and\nExchange Commission\xe2\x80\x99s information technology equipment and how frequently\nthe Configuration Management Database (CMDB) should be updated. In\nperforming the inventories, OIT should ensure that:\n\n      \xe2\x80\xa2   All relevant fields related to asset management in the CMDB are\n          accurate and properly completed, including verifying that\n          individuals using the property items are properly identified within\n          the database;\n      \xe2\x80\xa2   Equipment in regional offices is included in the wall-to-wall\n          inventory; and\n      \xe2\x80\xa2   Fields in the CMDB that capture contract numbers and contract\n          expiration dates using the Active Directory.\n\nRecommendation 3:\n\nThe Office of Information Technology (OIT) should coordinate with the\nContracting Officer Representative or other Property Accountability Officer, as\ndesignated in the contract, to ensure that government issued property items are\nproperly returned to the OIT and the items are promptly removed from the\nConfiguration Management Database when the contractor is no longer using it or\nwhen the contract is no longer active.\n\n\n\n\nSEC Controls Over GFE and CAP                                         March 28, 2012\nReport No. 503\n                                     Page 26\n\x0c                                                                     Appendix IV\n\n\nRecommendation 4:\n\nThe Office of Information Technology (OIT) should develop and implement\nprocedures for monitoring information technology equipment at the regional\noffices that is communicated to appropriate personnel. These procedures should\ninclude the regional office\xe2\x80\x99s roles in monitoring information technology equipment\nissued to contractors, including their responsibilities when a contractor employee\nexits a contract or when the equipment is moved to a new location.\n\nRecommendation 5:\n\nThe Office of Information Technology (OIT) should revise its policies and\nprocedures to establish clear accountability within the Asset Management Branch\nthat is associated with properly tracking and monitoring information technology\nequipment, including documenting the issuance and receipt of information\ntechnology equipment to specific Commission contractors.\n\nRecommendation 6:\n\nWhen the Office of Information Technology completes the 2012, wall-to-wall\ninventory of information technology equipment, it should use this information to\nestablish a baseline of the equipment in the Configuration Management\nDatabase.\n\nRecommendation 7:\n\nThe Office of Administrative Services, in conjunction with the Office of\nInformation Technology, should develop periodic training for Contracting Officers,\nContract Specialists, and Contracting Officer Representatives that clearly defines\nand addresses their responsibilities related to government furnished property\nconsistent with Part 45 of the Federal Acquisition Regulation, Government\nProperty and SECR 9-2, Property Management Program.\n\n\n\n\nSEC Controls Over GFE and CAP                                        March 28, 2012\nReport No. 503\n                                     Page 27\n\x0c                                                                       Appendix IV\n\n\nRecommendation 8:\n\nThe Office of Administrative Services should ensure when the Securities and\nExchange Commission issues Government Furnished Property to contractors,\nthe Contracting Officer (and where appropriate the Contract Specialist), includes\nlanguage in the contract that specifies:\n\n       \xe2\x80\xa2   The name of the equipment,\n       \xe2\x80\xa2   What equipment will be retained, disposed of, or returned to the\n           government,\n       \xe2\x80\xa2   When the equipment will be disposed of or returned to the\n           government, and\n       \xe2\x80\xa2   Who can accept the returned equipment.\n\nRecommendation 9:\n\nThe Office of Information Technology should issue Government Furnished\nProperty to contractors only after it obtains proof that the vendor\xe2\x80\x99s contract has\nlanguage authorizing the contractor to receive the equipment.\n\n\n\n\nSEC Controls Over GFE and CAP                                          March 28, 2012\nReport No. 503\n                                      Page 28\n\x0c                                                                             Appendix V\n\n\n                      Management Comments\n\n\n\n\n                                   MEMORANDUM\n\n\nTO:          Jacqueline Wilson, Assistant Inspector General for Audits, Office of\n             Inspector General                                      0\n\nFROM:        Jayne L. Seidman, Acting Director\n\nSUBJECT:     SEC\'s Controls Over Govemment Fumlshed Equipment and Contractor\n             Acquimd Property, Report No. 503\n\nDATE:        March 23,2012\n\nThis memorandum is in response to the Office of Inspector General\'s (DIG) Draft\nReport No. 503, titled SEC\'s Controls Over Govemment Fumished Equipment and\nContractor Acquired Property. Thank you for the opportunity to review and respond to\nthis report.                                                                  .\n\nOIG Recommendation 1. The Offlce of Administrative Services (OAS), in conjunction\nwith the Offlce of Informat/on Technology (011), should revise SECR 9-3, Report of\nSurvey Program and SEeR 9-2, Property Management Program, and clearly define\nproperty that is designated as Govemment Fumished Property (GFP). OAS and OIT\nshould further identify in SECR 9-3 and 9-2 the particular circumstances that are\nneeded to meet the GFP requirements in accordance with Part 45 of the Federal\nAcquisition Regulation (FAR).                                                     .\n\nThe Office of Administrative Services (DAS) concurs. DAS will coordinate with OIT in\nrevising SECR 9-3, Report of Survey Program and SECR 9-2, Property Management\nProgram to incorporate the definition of Govemment Fumished Property and clarify that\nthe requirements of FAR Part 45 do not apply to\n\n   (1) Govemment property provided under any statutory leasing authority, except as to\n       non-govemment use of property under FAR 45.301 (f);\n   (2) Property to which the govemment has acquired a lien or title solely because of\n       partial, advance, progress, or perfOrT!lance based payments;\n   (3) Disposal of real property;\n   (4) Software and intellectual property; or\n   (5) Govemment property that Is incidental to the place of performance, when the\n       contract requires contractor personnel to be located on a govemment site or\n       Installation, and when the property used by the contractor within the location\n       remains accountable to the government. Hems considered to be incidental to the\n       place of performance include, for example, office space, desks, chairs,\n       telephones, computers, and fax machines.\n\n\n\n\nSEC Controls Over GFE and CAP                                               March 28, 2012\nReport No. 503\n                                        Page 29\n\x0c                                                                                Appendix V\n\n\n\n\nOIG Recommendation 7. The Office of Administrative Services, in conjunction with the\nOffice of Infonnation Technology, should develop periodic training for Contracting\nOfficers, Contract Specialists, and Contracting Officer Representatives that clearly\ndefines and addresses their responsibilities related to government furnished property\nconsistent with Parl 45 of the Federal Acquisition Regulation, Governrnent Property and\nSECR 9-2, Properly Manegement Program.\n\nThe Office of Administrative Services (OAS) concurs. OAS will work with the Office of\nInfonnation Technology to develop periodic training consistent with FAR Part 45, for\nContracting Officers, Contract Specialists, and Contracting Officer Representatives who\nhave Government Furnished Property responsibilities. The training will clearly define\nand address assigned responsibilities relating to government furnished property.\n\nOIG Recommendation 8. The Office of Administrative Services should ensure when\nthe Commission issues Government Furnished Property to contractors, the Contracting\nOfficer (and where appropriate the Contract Specialist), includes language in the\ncontract that specifies:\n\n      \xe2\x80\xa2   The name of the equipment,\n      \xe2\x80\xa2   What equipment will be retained, disposed of, orreturned to the government,\n      \xe2\x80\xa2   When the equipment will be disposed of or returned to the government, and\n      \xe2\x80\xa2   Who can accept the returned equipment. .\n\nThe Office of Administrative Services (OAS) concurs. OAS will include information\nincluding the specified Items in any contracts which contain Government Furnished\nProperty.\n\n\n\n\nSEC Controls Over GFE and CAP                                                  March 28, 2012\nReport No. 503\n                                          Page 30\n\x0c                                                                                Appendix V\n\n\n\n\n                                     MEMORANDUM\n\n\nTO :          Jacqueline Wilson, Assistant Inspector General for Audits, Office of\n               Inspector General\n                                                                                     ",,0-k--C\n                                                                                     \\jJ\' 0 \\)\nFROM:         Thomas A. Bayer, Director, Office of Information TechnoloA. {OIT)J\\\n\nRE:           SEC\'s Controls Over Government Furnished       EqUipmentJn\\~actor\n              Acquired Property, Report No. 503\n\nDATE:          March 26, 2012\n\nThis memorandum is in response to the Office of Inspector General\'s (OIG) Draft\nReport No. 503, SEC\'s Controls Over Government Furnished Equipment and\nContractor Acquired Property. Thank you for the opportunity to review and respond to\nthis report.\n\norG Recommendation 1.        The Office of Administrative Services (OAS), in conjunction\nwith the Office of Information Technology (OIT), should revise SECR 9-3, Report of\nSurvey Program and SECR 9-2, Property ManagementProgram, and clearly define\nproperty that is designated as Government Furnished Property (GFP). OAS and OIT\nshould further identify in SECR 9-3 and 9-2 the particular circumstances that are\nneeded to meet the GFP requirements in accordance with Part 45 of the Federal\nAcquisition Regulation (FAR) .                                                    .\n\norT concurs with this recommendation.\n\norG Recommendation 2. The Office of Information Technology (OIT) should revise its\npolicy to specify how often the office will conduct wall-to-wall inventories of the\nSecurities and Exchange Commission\'s information technology equipment and how\nfrequently the Configuration Management Database (CMDB) should be updated. In\nperforming the \' inventories, OIT should ensure that:\n\n   \xe2\x80\xa2    All relevant fields related\xc2\xb7to asset management in the CMDB are accurate and\n        properly completed, including verifying that individuals using the property items\n        are properly identified within the database;\n   \xe2\x80\xa2    Equipment in Regional Offices is included in the wall-ta-wall inventory; and\n   \xe2\x80\xa2    Fields in the CMDB that capture contract numbers and contract expiration dates\n        using the Active Directory.\n\nOtT concurs with this recommendation.\n\n\n\n                                              1\n\n\n\n\nSEC Controls Over GFE and CAP                                                  March 28, 2012\nReport No. 503\n                                           Page 31\n\x0c                                                                            Appendix V\n\n\n\n\nOIG Recommendation 3. The Office of Information Technology (OIT) should\ncoordinate with the Contracting Officer Representative or other Property Accountability\nOfficer, as designated in the contract, to ensure that government issued property items\nare properly returned to the OIT and the items are promptly removed from the\nConfiguration Management Database when the contractor is no longer using it or when\nthe contract is no longer active.\n\nOIT concurs with this re=mmendation.\n\nOIG Recommendation 4. The Office of Information Technology (OIT) should develop\nand implement procedures for monitoring information technology equipment at the\nRegional Offices that is communicated to appropriate personnel. These procedures\nshould include the Regional Office\'s roles in monitoring information technology\nequipment issued to contractors, including their responsibilities when a contractor\nemployee exits a contract or when the equipment is moved to a new location.\n\nOIT concurs with this recommendation.\n\nOIG Recommendation 5. The Office of Information Technology (OIT) should revise its\npoliCies and procedures to establish clear accountability within the Asset Management\nBranch that is associated with properly tracking and monitoring information technology\nequipment, including documenting the issuance and receipt of information technology\nequipment to specific Securities and Exchange Commission contractors.\n\nOIT concurs with this recommendation.\n\nOIG Recommendation 6. When thfi Office of Information Technology completes the\n2012, wall-to-wall inventory of information technology equipment, it should use this\ninformation to establish a baseline of the equipment in the Configuration Management\nDatabase.\n\n\xc2\xb7OIT concurs. with this recommendation.\n\nOIG Recommendation 7. The Office of Administrative Services, in conjunction with the\nOffice of Information Technology, should develop periodic training for Contracting\nOfficers, Contract Specialists, and Contracting Officer Representatives that clearly\ndefines and addresses their responsibilities related to government furnished property\nconsistent with Part 45 of the Federal Acquisition Regulation, Government Property and\nSECR 9-2, Property Management Program.\n\nOIT concurs with this recommendation.\n\n\n\n\n                                             2\n\n\n\n\nSEC Controls Over GFE and CAP                                              March 28, 2012\nReport No. 503\n                                          Page 32\n\x0c                                                                            Appendix V\n\n\n\n\nOIG Recommendation 9. The Office of Information Technology should issue\nGovernment Furnished Property to contractors only after it obtains proof that the\nvendor\'s contract has language authorizing the contractor to receive the equipment.\n\nOIT concurs with this recommendation.\n\n\n\n\n                                            3\n\n\n\n\nSEC Controls Over GFE and CAP                                              March 28, 2012\nReport No. 503\n                                        Page 33\n\x0c                                                                   Appendix VI\n\n\n     OIG Response to Management\xe2\x80\x99s Comments\n\nOIG is pleased OAS and OIT concurred with all of the report\xe2\x80\x99s recommendations.\nWe are also encouraged that OAS and OIT indicated they will take prompt action\nto address the areas of concern we identified in this report. We believe OAS and\nOIT\xe2\x80\x99s full implementation of OIG\xe2\x80\x99s recommendations will result in significant\nimprovements to SEC\xe2\x80\x99s management controls over government furnished\nequipment and contractor acquired property.\n\n\n\n\nSEC Controls Over GFE and CAP                                      March 28, 2012\nReport No. 503\n                                   Page 34\n\x0c                         Audit Requests and Ideas\n\nThe Office of Inspector General welcomes your input. If you would like to request an\naudit in the future or have an audit idea, please contact us at:\n\nU.S. Securities and Exchange Commission\nOffice of Inspector General\nAttn: Assistant Inspector General, Audits (Audit Request/Idea)\n100 F Street, N.E.\nWashington D.C. 20549-2736\n\nTel. #: 202-551-6061\nFax #: 202-772-9265\nEmail: oig@sec.gov\n\n\n\n\n      Hotline\n      To report fraud, waste, abuse, and mismanagement at SEC, contact the\n      Office of Inspector General at:\n\n      Phone: 877.442.0854\n\n      Web-Based Hotline Complaint Form:\n      www.reportlineweb.com/sec_oig\n\x0c'